Keynote at the European Identity & Cloud Conference 2015
So the next session, the last session before we break up into the different tracks, is on privacy. More concretely, it's on the upcoming privacy regulation from the EU, and this keynote is separated into two parts. We are going to have a scientific part and a real-life part, so to say, and let me welcome for the first part Kuan. Good morning, Kuan. You are from Queen Mary University of London. That's right. I have many hats. I'm an unnatural hybrid of computer scientist and lawyer, mostly lawyer.
And I've been working on cloud law projects at Queen Mary since 2010, including four chapters on data protection in a book on cloud computing law that OUP published in 2013. And I'm also a consultant lawyer for a law firm, Masons, which actually happens to have a Munich office. Interesting.
Oh, okay. Interesting. So you answered all my questions. The floor is yours. Right? Thank you very much. Okay. Just to set the scene, I'm going to outline the current law and some key points about the new law. And then Karsten is going to pick up on just a couple of those points, because we just don't have time to cover all of them. So in terms of current law, the EU Data Protection Directive dates from 1995. So it's quite long in the tooth, and it regulates the processing of personal data.
That's data relating to data subjects, live human beings, including non-EU people, because it's considered a human right. And there are exceptions from data protection law requirements, such as for household use, personal use, national security, et cetera. And the purpose of this directive was actually twofold. It was meant to enable the free flow of personal data within the EEA.
Well, originally the Community, now the European Economic Area, by trying to promote uniform, at minimum high, standards of data protection across the EEA. But it is not fully harmonized; it's a directive, which means it's implemented by individual member states, and they can implement it differently in some ways. So the example I like to give is security, where the UK data protection law on security is about four lines, and in Italy it's about four pages. So it's quite different. Now the obligations under the directive and the liability are based on the definition of personal data as a trigger.
So if something is personal data, then the law applies. If it's anonymous data, the law does not apply. But the problem is it's actually quite hard sometimes to tell if something is personal data or not. So it applies to the automated processing of personal data, and that is a very broad concept. It's broader than the IT view of processing as computational operations. Pretty much anything that you can do with, or to, digital data is processing, and that includes mere storage, transmission, display, et cetera.
The obligations under data protection law are on the controller, which could include non-EU persons. And the controller is the person who controls the purposes and means of processing personal data. So an individual human being could be a controller; charities could be controllers. It's not just commercial organizations. And the controller is the person who's on the hook for complying with data protection law obligations, which include things like fair processing, purpose limitation, security obligations, deletion of data past its use,
the purpose for which it's used, et cetera, and also restrictions on the transfer of personal data outside EEA territory. And there are also provisions for when a controller wants to use a processor, a service provider, to help it with its processing. So on to the regulation. This actually started in 2012, even earlier with consultations by the European Commission, which issued a draft proposal in 2012 to update and modernize the directive. And there's a separate directive on crime and law enforcement processing of personal data. But this update proposal is in the form of a regulation, not a directive.
I'll talk a bit more about the difference later. So last year, the European Parliament then had a look. They came up with their own different version of the regulation.
Now the Council of Ministers, which is effectively EU member state governments, they've been debating yet another version. I've put a link there to the latest available full version, from December 2014. And they are negotiating this internally within the member states on the basis that nothing is agreed until everything is agreed. So they're going through it chapter by chapter, agreeing sections, but they might actually decide to come back and revisit things that had already been agreed until the whole package has been agreed. So there's a lot of horse trading that's going on.
I've also included a link there to a comparative table, which is quite useful if you've got insomnia. It's many hundred pages long, and it was leaked last month. And it basically shows side by side each version, for internal discussion between the EU institutions. So there is a lot of political pressure for the Council to agree its own version internally by sometime in June, i.e. next month. Some people say it'll happen. Other people say, well, you know, it's too difficult, it may not.
But the main point is that the different EU institutions have to agree the same text before it can become law. And I provide a link there to a flow chart from the European Parliament showing the fairly complicated process that's involved. So even after the Council agrees, there will be so-called trilogue informal discussions between Commission, Council and Parliament. And there's a formal conciliation procedure that can be invoked if they can't agree, just to try and get them to agree.
So this is very much a moving target, and there's probably going to be a lead time of maybe one or two years after it's adopted. So if it's adopted this year, which is unlikely, maybe 2016, then we are looking at 2017, 2018, probably at the earliest. And another point I wanted to mention is that this is a regulation, not a directive. A regulation is directly effective in all member states immediately from the date it's said to be effective, whereas a directive has to be implemented in national law.
So they're trying to improve harmonization by making it a regulation, not a directive, but a regulation isn't actually the answer, because there are some areas which are left to member state discretion. I've put a link there to the Amber blog by a data protection expert who actually says, well, there are so many possibilities in the Council version for member states to actually provide exemptions. And also, even with a regulation, there might be ambiguities, and I'm afraid in this regulation there are quite a lot of ambiguities.
So different member states could interpret them differently if they choose to. So a regulation doesn't necessarily mean full harmonization, although that's the aspiration. So just a timeline. I produced this timeline comparing the current Data Protection Directive with the draft regulation. And you'll see that the current directive actually took five years to agree. And in the middle, the Commission actually went back to the drawing board and started again and produced a new proposal, because there were so many objections.
It was the most controversial legislation in the EU ever at the time. And now it's proving to be the most controversial again. So who knows exactly when we are going to see the regulation. So here are some of the key changes. It is very much a moving target.
As I said, there are three versions, and what they produce at the end might actually bear little resemblance to any of these versions. Who knows. Hopefully it'll be fairly similar, but the major points are: there is going to be a strengthening of data protection authority powers, the supervisory authorities. There is a question mark about funding, because filing and registration fees are going to be abolished. So where are the DPAs going to get the money from to actually enforce their, you know, fantastic new powers? I don't know.
That's going to be a difficult issue. There will be audits, powerful audits. And of course this prospect of huge fines that Karsten's going to be talking about. There are also going to be new provisions designed to enhance accountability, and we have a panel session tomorrow on this, but things like impact assessments, prior consultation of supervisory authorities, codes of conduct, data protection by design and by default, certifications and seals, et cetera. So that's going to be a fairly major area. Another area is to do with processors, service providers.
I don't know how many, though I suspect I know the answer. How many people here are from service providers?
Nobody? No, a few. Okay.
Not as many as I thought, but this is a major point to bear in mind. Service providers, processors, are going to be directly on the hook under this regulation. At the moment, under the directive, they are directly liable only in a few countries, but under the regulation there's direct liability on processors, i.e. service providers and sub-providers, for things like security, breach notification, possibly data protection impact assessments, et cetera. And the contracts with processors are going to change. They're going to be beefed up. There is no grandfathering.
So that means that service providers, processors, will have to enter into new contracts with controllers after this comes into force. So this is a major thing. There's no time to talk about this in detail; at my keynote at Cloudscape in March, I actually talked for 20 minutes just on this. So if anybody is interested, come and have a word with me afterwards, but I think this is a major issue, that service providers are going to be directly on the hook under the regulation.
The provisions on "security" are expanded. I've put quotes there because it's not just security in the technical IT sense. It also includes data protection obligations generally. And you've probably heard about the new breach notification obligations that are going to be brought in: notification to supervisory authorities and to data subjects in some situations. Another important area is that the rules restricting the export of personal data outside the EEA are going to be tightened up. They're not actually going to be relaxed. They're going to be tightened up.
So it's going to be harder, more expensive and more difficult to transfer personal data outside the EEA. There are also provisions, which again are very much up for debate as to what the final form will be, possibly tightening up the rules on consent and notification to data subjects, such as on the legitimate interests of controllers. There might be more relaxed rules for pseudonymous data, and there are new rules on profiling, whereas at the moment it's about automated decision making.
There are also some points intended to increase data subject rights: access to their data, not necessarily with any fees, the famous right to be forgotten, rights of data portability, possible class actions, et cetera. And Karsten is going to talk about jurisdiction and the so-called one-stop shop.
So in summary, I'm not sure that it's necessarily going to be the most advantageous law for anybody except perhaps public sector bodies, who might have more relaxed requirements, and lawyers, who are going to have a lot to do if this goes through. I'm not going to go through this, but I did some other infographics showing the scale, comparing the directive with the regulation, and you can see, you know, there are a lot more amendments in Parliament now than there were before. There are a lot more member states that have to agree.
There are a lot more footnotes showing disagreements among the Council than with the directive. And that's a table that summarizes it all. Thank you very much.

Thank you so much. I would like you just to sit down and wait for Karsten. Let me introduce Karsten Kinast. Karsten is Fellow Analyst with KuppingerCole, a lawyer, data protection officer and attorney. So all that stuff, I don't know.
Well, you said I'm going to be the practical guy, if I understood you right. And I think that's very nice. My day is made. Thank you.
Well, thank you Kuan first for giving this really good overview. Let me, as you introduced, put your attention towards the conflict of interest that's behind that. We have individuals traditionally caring for their privacy, at least in theory, sometimes in practice. Then we have companies having discovered in the last years that data is the new gold, and having understood that. I brought you some figures about the concerns for privacy. These are just random figures from the European Commission. More than 90% of Europeans are a bit scared of mobile apps taking their information.
And they're not sure what happens with it. 70% of Europeans are generally concerned about their information being taken away and used for another purpose than they thought. We all know that in practical life, or in practice, people don't really act according to those concerns, but those concerns are there. So it's not very difficult to understand that privacy concerns are in the way of a better business development. The value of data at the same time is increasing heavily; up to 2020 it will be 1 trillion annually, and increasing. To scale that and find a balance,
the European Commission has in the last years tried to find new regulations on data protection. And let me focus on what's new. Kuan introduced the key changes, and you see the little checks there. I just want to focus on three of them. And those three are not even substantive changes. They're not the right to be forgotten. They're not the duty of privacy by design. All of that we will have in our panel today and tomorrow to be discussed. I want to focus on more formal changes, but for me, those are the real key changes.
First it's the jurisdiction, as Kuan mentioned; let me introduce that to you as the territorial scope of the GDPR. Then we have the one-stop shop, the lead authorities introduced by that for data protection. We have that in other fields of law already, but now we'll have it for data protection, a tremendous change. The data protection authority powers will be strengthened. We have serious sanctions coming up. Those are the three major changes in privacy, and I think that's going to be a very big change for business.
Number one, territorial scope. We have up to now, and in the future, the situation that the GDPR will apply to the processing of personal data if a company has its seat within the EU. So the change will be that even if you might not be seated in the EU and you have your headquarters in the US, for example, or in Asia, you, in most cases, if you're a service provider or you have some other issues targeting European citizens, then you will be hooked, as Kuan said, with the GDPR. So it's an immediate application of European law. We are expanding our understanding of privacy throughout the world.
In the past in Europe it has been the case just the other way around. We have been introduced to other legislations, and now the European Commission tries to revert that and really tries to unfold a whole understanding of privacy, its own understanding of privacy, to everyone else that's offering goods or services to EU citizens; or any kind of monitoring that will take place also falls under the GDPR. Something else about the territorial scope: companies will not be allowed to hand over data from the EU to third countries' authorities. That's going to be a key issue.
If you think about the cloud, certainly cloud service providers, amongst others, will be under, for example, US American laws, and for that reason completely legally and legitimately have to hand over information to authorities. I'm not talking about any NSA issues or anything like that. I'm talking about very traditional needs of handing over data to authorities. So this in the future may not take place anymore as soon as European citizens' data will be affected. We haven't had that so far.
So there will be a very large discussion after, I think, 2017, when this is at the latest becoming a practical issue in real life. Because I think no one has really understood so far that this is one of the major issues. You may not be able to use the cloud if you're in Europe and you have to fear that your information will have to be passed on to authorities in the US or any other parts of the world. Eventually, that's something that you need to understand if you take your customers' data and bring it to any cloud, and this regulation is something that's not even heavily discussed.
I think we will have that for pretty sure. Then we have the lead authority. That's a tremendous change as well. Up to now, we don't only have 28 national laws, we also have even more national and local regulators. Let it be more than a hundred, maybe, within Europe. In the future we will have that one-stop shop, making it possible to work with one supervisory authority. I don't know if you remember Google Street View. I think out of those 28 authorities, you had like about 30 opinions on it.
So that was a situation, I think, not very acceptable for all players trying to find a good solution for their applications and services throughout the EU. So it's going to be faster decisions, I hope, and consistency of decisions, if you have a common approach throughout Europe. The lead authority will also, I think, and that's even more important, lead to a situation where individuals will always be able to go to their local data protection authority. Today individuals may have to travel.
So if you want to discuss, for example, Google's practice of handling your personal information, or Facebook's, you might have to go to Ireland, to the authority there, to discuss that. And this is going to change. You will be able to discuss it with your own authority in your country. And that's, for some reason, a large change. I don't know if you see that in practice; does this change anything? I think so. This is the office of the Irish Data Protection Commissioner. It's only the first floor; right around the corner is Google's headquarters for Europe.
So this is how things go today. They have to deal with each other, and they just have to deal with the Irish authority because they're based there. In the future, you can go to a larger authority, and that's going to make that change. Then we have sanctions. We have a warning in writing; that may happen already today, it's not a big change. We will have data protection audits eventually upcoming, and they might even be periodic.
So once you have committed a data protection error in your organization, you might in the future face periodic audits for longer years. And fines, that will change as well. They're not all at the same level: with the Commission and the Parliament, it's between 2% and 5% of the annual turnover worldwide. We're talking about group turnover, not about a single legal entity's turnover. So that's really harmful to my understanding. And even if it stays with the 2%, which is the lowest I can imagine, I think that's a really harsh situation
upcoming. Or possibly you might vote for the hundred million euros a year, if you feel better with that. So those are just three major changes from the formal, the formalistic, side. I think those already will make a difference in the future. If you care for that, tomorrow, starting at 11, we have the more substantive changes such as privacy by design. We will have data protection and privacy impact assessments, and the right to know, the right of information of the user, will be raised a lot. So if you have been hacked, make sure that within 24 hours you will tell your users.
That's a very short period of time, and all of that we will discuss today and tomorrow. Today, Scott David and I will go through a very interesting panel on cloud risk, and tomorrow more focused on data privacy and cloud.

Thank you so much. Could you please join us for a second? Just a very short question. From your point of view: we heard yesterday that the value of identity management is in consumer slash customer relationships, relationship information, but this is exactly what is going to be protected.
So how does that change the business model of many companies in the room? What do you think?
Well, I don't think it necessarily changes the business model, but compliance is going to be quite important, and ways to help you comply, because you're exposed to huge fines, much more than before. So it's going to be a bigger risk. The legal risk is going to be bigger. And like I mentioned, service providers are going to be on the hook.
They can be sued or fined directly, even if it was the controller's fault, and then left to try and claim back from the controller, which I think is quite major. Well, you know, two lawyers, three opinions.
So I have a different opinion on that. Okay. I think there will be tremendous changes, actually. I think we will see business models where you count on informing beforehand what you do. So you will talk to your customer, and possibly you will even be compensated for your information. So I think the good of information, the good of data, will be part of the deal. The more data you offer, the better your rate is going to be.
We already see that in the insurance business in Europe nowadays, with people being tracked and for that reason maybe paying less, or even more if they have a hell of a driving style. And I think this is going to be the change in business models, especially online models. I see that upcoming, and I see all the major companies I work with already starting to think slightly about making this good something tradeable.

So in some ways it may be more restrictive, because things like the rules on profiling are going to make it harder for some business models, right?
So technology providers should think about that and invent new solutions that are compliant in advance, being privacy by design, following privacy by design principles. The consumer wants to be paid, I guess. Thank you very much.
Again, thank you for that overview. As you mentioned, there will be more on this tomorrow at 11 in this room.